[Snort-users] Snort dies after a few days.
bmccarty at ...5196...
Mon Mar 25 10:09:03 EST 2002
My Snort, running under RHL 7.2 and using RH kernel 2.4.9-21, sometimes
dies after a few hours of operation. When it does, it restarts cleanly, so
I don't suspect configuration or environmental problems. However, unlike
Emilio's case, Snort doesn't log an exit message. Neither does it log a
message when the network interface enters or leaves promiscuous mode,
apparently because the interface is configured without an IP address.
Moreover, from time to time, I inspect the TCP data in the packet logs.
There, I regularly see Snort rules and other Snort-related data in the
payload. I believe these are due to buffer overflows or other software bugs
within Snort or possibly libpcap. My network is small and has relatively
low traffic; moreover, it has limited bandwidth and therefore limited
potential value to hackers other than novices. So, I tentatively rule out
the paranoid possibility that hacked systems are using covert communication
to transmit Snort data outside the network.
Q: Other than configuring for core dumps as Phil suggested, how can I best
configure Snort to provide useful debugging data for its developers? Or,
what data can I collect that might help discover -- better yet, fix --
Just wanna help if I can <grin>.
--On Monday, March 25, 2002 9:02 AM -0700 Phil Wood <cpw at ...440...> wrote:
> There has been a discussion on the tcpdump.org list that indicates that
> RH 7.2 is broken in regards to libpcap and packet timestamps. You might
> want to upgrade your kernel to 2.4.18 (www.kernel.org).
> [not for the uninitiated.]
> PS: If you make sure that your snort environment is providing "core"
> prompt: ulimit -c 10000000
> prior to starting snort, and you have a snort compiled with '-g', then
> you could send information to the list that would be helpful. See:
> On Mon, Mar 25, 2002 at 09:56:25AM +0100, Emilio Mira Alfaro wrote:
>> I'm using snort 1.8.4-beta4 I compiled with mysql and flexresp
>> support, libpcap 0.7.1, on RH 7.2 and it's listening from an ATM
>> interface. It's running ok, but after a few days, it dies for some
>> unknown reason. In /var/log/messages I get:
>> Mar 24 10:40:57 abc snort: Snort received signal 15, exiting
>> Mar 24 10:40:57 abc kernel: device atm0 left promiscuous mode
More information about the Snort-users